authorClaude Sonnet 4.62026-06-04 00:00:00 +0000
committerFrederick Muriuki Muriithi2026-06-15 09:21:42 -0500
commitcf97a3e293f7e3b3f10d54b6928d70fa981879b7 (patch)
treebf9183542a0ceda090f6cc93fc4e1f5562b6f425 /genenetwork-development.scm
parent4edd69ac0bfb053aa3ff89398d3c9e79da53a3c9 (diff)
downloadgn-machines-cf97a3e293f7e3b3f10d54b6928d70fa981879b7.tar.gz
genenetwork-development: add gn-auth-test-flask and sudo rule
Add gn-auth-test-flask, a function taking a genenetwork-configuration
and returning a program-file that wraps flask with the gn-auth
environment. Paths (AUTH_DB, GN_AUTH_SECRETS, etc.) flow in from the
config record via match-record — no hardcoding.

Instantiate %gn-auth-test-flask from %genenetwork-configuration as the
default, and add a sudo rule allowing laminar to run it as the
genenetwork user for auth-flow test setup and teardown.

Frederick reviewed and revised the code to make sure it is good, and
tested it, fixing bugs to make sure it actually works and is fit for
purpose.

Co-authored-by: Frederick Muriuki Muriithi <fredmanglis@gmail.com>
Diffstat (limited to 'genenetwork-development.scm')
-rw-r--r--genenetwork-development.scm69
1 files changed, 68 insertions, 1 deletions
diff --git a/genenetwork-development.scm b/genenetwork-development.scm
index 08e50eb..966b0fa 100644
--- a/genenetwork-development.scm
+++ b/genenetwork-development.scm
@@ -1527,6 +1527,69 @@ gn-guile to display RDF pages."
    (xapian-db-path %xapian-directory)))
 
 
+(define (gn-auth-test-flask config)
+  "Return a program-file that wraps flask with the gn-auth environment
+derived from CONFIG.  All arguments are forwarded to flask, allowing
+the caller to invoke any flask CLI command (create-test-users,
+delete-test-users, etc.) as the genenetwork user via sudo."
+  (match-record config <genenetwork-configuration>
+    (auth-db-path gn-auth-secrets gn-auth-repository repositories-checkout-directory)
+    (let* ((gn-auth-profile (profile
+                              (content (package->development-manifest gn-auth))
+                              (allow-collisions? #t)))
+           (gn-auth-conf (mixed-text-file
+                          "gn-auth-test.conf"
+                          "AUTH_DB=\"" auth-db-path "\"\n"
+                          "GN_AUTH_SECRETS=\"" gn-auth-secrets
+                          "/gn-auth-secrets.py\"\n"
+                          "CLIENTS_SSL_PUBLIC_KEYS_DIR=\"" gn-auth-secrets
+                          "/clients-public-keys\"\n"
+                          "SSL_PRIVATE_KEY=\"" gn-auth-secrets
+                          "/gn-auth-ssl-private-key.pem\"\n"))
+           (gn-libs-checkout (string-append repositories-checkout-directory "/gn-libs"))
+           (gn-auth-checkout (string-append repositories-checkout-directory "/gn-auth")))
+      (program-file
+       "gn-auth-test-flask"
+       (with-imported-modules '((guix build utils))
+         #~(begin
+             (use-modules (guix build utils))
+
+             (define (hline)
+               "Print a horizontal line 50 '=' characters long."
+               (display (make-string 50 #\=))
+               (newline)
+               (force-output))
+
+             (define (show-head-commit)
+               (hline)
+               (invoke #$(file-append git-minimal "/bin/git")
+                       "log" "--max-count" "1")
+               (hline))
+             (with-directory-excursion #$gn-libs-checkout
+               (show-head-commit))
+             (with-directory-excursion #$gn-auth-checkout
+               (show-head-commit))
+
+             (setenv "PYTHONPATH"
+                     (string-append #$gn-libs-checkout ":"
+                                    #$gn-auth-checkout ":"
+                                    #$gn-auth-profile
+                                    "/lib/python3.11/site-packages"))
+             (setenv "REQUESTS_CA_BUNDLE"
+                     (string-append #$gn-auth-profile
+                                    "/etc/ssl/certs/ca-certificates.crt"))
+             (setenv "GN_AUTH_PROFILE" #$gn-auth-profile)
+             (setenv "GN_AUTH_CONF" #$gn-auth-conf)
+             (setenv "HOME" "/tmp")
+             (setenv "AUTHLIB_INSECURE_TRANSPORT" "true")
+             (apply invoke
+                    (string-append #$gn-auth-profile "/bin/flask")
+                    (cons* "--app" "gn_auth.wsgi:app"
+                           (cdr (program-arguments))))))))))
+
+(define %gn-auth-test-flask
+  (gn-auth-test-flask %genenetwork-configuration))
+
 (operating-system
   (host-name "genenetwork-development")
   (timezone "UTC")
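Review bot: `(setenv "AUTHLIB_INSECURE_TRANSPORT" "true")` near the end of the gexp is not explained anywhere in the hunk, and it is the one setting that changes gn-auth's security posture rather than just locating files. Since this same wrapper is what the other hunk lets laminar run as the genenetwork user, a reader needs to know it is meant only for the test flows and must not be copied into the production gn-auth service environment; add a comment such as `;; Test flows talk to gn-auth over plain HTTP; never set this for the real gn-auth service.`. `(setenv "HOME" "/tmp")` deserves the same treatment: with the world-writable /tmp as HOME, anything flask or its libraries write under `~` lands there, so say why that is acceptable here (or point HOME at a dedicated directory if it is not). The docstring could also mention that `gn-auth-test.conf` is a store file and therefore world-readable, which is fine because it only carries paths, not the secrets themselves.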
@@ -1552,7 +1615,11 @@ gn-guile to display RDF pages."
                     (file-append shepherd "/bin/herd") " stop gn-auth, "
                     (file-append shepherd "/bin/herd") " restart gn-auth\n"
                     ;; Permit the acme user to restart nginx.
-                    "\nacme ALL = NOPASSWD: " (file-append shepherd "/bin/herd") " restart nginx\n"))
+                    "\nacme ALL = NOPASSWD: " (file-append shepherd "/bin/herd") " restart nginx\n"
+                    ;; Permit the laminar user to run gn-auth test setup/teardown
+                    ;; commands as the genenetwork user.
+                    "\nlaminar ALL = (genenetwork) NOPASSWD: "
+                    %gn-auth-test-flask "\n"))
   (services (cons* (service forge-service-type
                             (forge-configuration
                              (projects (list transform-genenetwork-database-project
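Review bot: The new sudoers entry `"\nlaminar ALL = (genenetwork) NOPASSWD: " %gn-auth-test-flask "\n"` names the wrapper with no argument list, which in sudoers means any arguments are accepted, and the wrapper in the earlier hunk forwards `(cdr (program-arguments))` to flask unchanged. Together that lets laminar run every flask subcommand as genenetwork, not only the `create-test-users` / `delete-test-users` pair the docstring names as the purpose. Consider spelling the permitted invocations out, e.g. `"\nlaminar ALL = (genenetwork) NOPASSWD: " %gn-auth-test-flask " create-test-users, " %gn-auth-test-flask " delete-test-users\n"`; if those subcommands need further arguments, it is safer to have the wrapper itself accept only those two verbs than to loosen the sudoers pattern. The `sudoers-file` expression this hunk edits begins and ends outside the hunk.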